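---
# Server-side PKI for one OpenVPN zone. The server private key is generated
# and stays on this host (mode 0400, root only); only the CSR is shipped to
# the zone's CA host, where signing is delegated, and the resulting
# certificate is copied back. Directory layout under /etc/ssl/openvpn/<zone>/.

- name: install python-cryptography
  ansible.builtin.apt:
    name: "{{ python_basename }}-cryptography"
    state: present

- name: create base directory
  ansible.builtin.file:
    path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}"
    state: directory

- name: create server cert/key directory
  ansible.builtin.file:
    path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server"
    state: directory
    owner: root
    group: root
    mode: "0750"

# The key never leaves this host; a regenerated key invalidates the running
# server's identity, hence the restart handler.
- name: create private key for server certificate
  community.crypto.openssl_privatekey:
    path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/key.pem"
    type: RSA
    size: 4096
    owner: root
    group: root
    mode: "0400"
  notify: restart openvpn-server

# CSR constrains the resulting certificate to server authentication only
# (serverAuth, CA:FALSE), all marked critical so a non-compliant verifier
# must reject rather than ignore them.
- name: create signing request for server certificate
  community.crypto.openssl_csr:
    path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/csr.pem"
    privatekey_path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/key.pem"
    common_name: "{{ inventory_hostname }}"
    key_usage:
      - digitalSignature
      - keyEncipherment
    key_usage_critical: true
    extended_key_usage:
      - serverAuth
    extended_key_usage_critical: true
    basic_constraints:
      - 'CA:FALSE'
    basic_constraints_critical: true

- name: slurp CSR
  ansible.builtin.slurp:
    src: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/csr.pem"
  register: openvpn_server_csr

# openvpn_server_cert holds the stat result until the "generate server
# certificate" task below overwrites it with the signing result.
- name: check if server certificate exists
  ansible.builtin.stat:
    path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/crt.pem"
  register: openvpn_server_cert

# Renewal trigger: the certificate is re-issued when it would no longer be
# valid 10 years from now.
- name: read server certificate validity
  when: openvpn_server_cert.stat.exists
  community.crypto.x509_certificate_info:
    path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/crt.pem"
    valid_at:
      ten_years: '+3650d'  # 10 years
  register: openvpn_server_cert_info

- name: slurp existing server certificate
  when: openvpn_server_cert.stat.exists
  ansible.builtin.slurp:
    src: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/crt.pem"
  register: openvpn_server_cert_current

# Signing happens on the CA host so the CA private key never has to be
# copied here. `force` is evaluated before the task runs, so at that point
# openvpn_server_cert is still the stat result; when the cert does not exist
# the `and` short-circuits and openvpn_server_cert_info is never evaluated.
# The issued certificate is very long-lived (50 years); the valid_at check
# above is the only thing that drives re-issuance.
- name: generate server certificate
  delegate_to: "{{ openvpn_zone.ca_host }}"
  community.crypto.x509_certificate_pipe:
    content: "{{ openvpn_server_cert_current.content | default('') | b64decode }}"
    csr_content: "{{ openvpn_server_csr.content | b64decode }}"
    provider: ownca
    ownca_path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca-crt.pem"
    ownca_privatekey_path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca/key.pem"
    ownca_digest: sha256
    ownca_not_after: "+18250d"  # 50 years
    force: "{{ openvpn_server_cert.stat.exists and (not openvpn_server_cert_info.valid_at.ten_years) }}"
  register: openvpn_server_cert

- name: store server certificate
  ansible.builtin.copy:
    content: "{{ openvpn_server_cert.certificate }}"
    dest: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/crt.pem"
  notify: restart openvpn-server

# Only the CA's public certificate is fetched; the CA key stays on ca_host.
- name: slurp CA certificate
  delegate_to: "{{ openvpn_zone.ca_host }}"
  ansible.builtin.slurp:
    src: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca-crt.pem"
  register: openvpn_server_ca_certificate

- name: install CA certificate
  ansible.builtin.copy:
    content: "{{ openvpn_server_ca_certificate.content | b64decode }}"
    dest: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca-crt.pem"

- name: generate Diffie-Hellman parameters
  community.crypto.openssl_dhparam:
    path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/dhparams.pem"
    size: 2048
  notify: restart openvpn-server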